Social Engineering: What is Whaling ?
A whaling attack is a social engineering technique involving scam emails imitating senior individual messages to target high-ranking executives. As such, it’s a form of executive phishing, like spear phishing. However, whaling specifically targets one high-profile employee.
What is whaling?
A whaling attack is a form of phishing attack usually using fraudulent emails which target executives or managers. The technique is similar, but the fish is bigger. While phishing scams get sent massively, a whaling attack targets specific individuals considered as ‘whales’ due to their high rank in a valuable organization (CEO, top-level executives). By impersonating a CEO or a top-level executive, cybercriminals try to trick their victims into doing unfavourable actions. They usually try to get large wire transfers, sensitive information or insert malware with fraudulent links. The latter two mean that this social engineering technique can have longer-term consequences, because the cybercriminals can launch further attacks with the data retrieved from a whaling attack.
How to identify whaling attacks ?
It can be hard to identify a whaling attack. Cybercriminals put a lot of effort into elaborating these scams as the returns can be huge. In the past, they have tricked many highly-educated employees and caused substantial losses for their companies. To avoid this, organisations with sensitive information or a high monetary value should keep their employees informed about social engineering tactics.
How to recognize whaling scams emails ?
Whaling emails can display the following characteristics :
- Personalisation: The email sent to initiate the whaling attack will most likely include personalised information about the impersonated CEO or senior executive, the victim (a manager or another executive), or the organisation to create a sense of familiarity.
- Urgency: Whaling scams emails conveying urgency can get the victim to act before thinking of security practices. Attackers often try to frighten victims using powerful personas (CEO, top level executives). Those persons are difficult to disobey.
- Language: Business language and tone are often used to convince the victim that the email has been sent from a high-ranked individual. The attackers often use a scenario in which they ask the victim to do a low-effort action (such as a quick money transfer to a supply partner) based on a fake threat. They may also emphasize confidentiality, so that the victim avoids speaking about the email they have received. No one can thus tell them that this email is a whaling attack.
- Legitimate signature: The attackers may use a believable email address, signature, and a link leading to a fraudulent website. We will show you how to recognize these further down the article.
- Files & Links: Cybercriminals may use attachments or links to insert malware or to request sensitive information. Even if nothing happens when the targetted manager clicks a link or submits information on its website, it could trigger a hidden malware download.
Whaling attacks examples
- From ‘within’ the company
In 2016, a top finance executive of Mattel got a fraudulent email from someone impersonating the new CEO. This email contained a regular request for a transfer in favour of a new vendor payment to China. After the victim fell into the phishing scam, the company lost $3 million. They managed to get all the money back after an arduous fight.
- From a third party
The following email scam tricked a handful of executives from different industries. The cybercriminal sent a fake email from the United States District Court with a subpoena to appear before a grand jury in a civil case. The emails included the executives’ names, companies, and phone numbers, deceiving them that it was official. When they clicked on the link for the subpoena, they got malware.
- With phone calls
The National Cyber Security Centre (NCSC) of the United Kingdom confirms that phone calls from the cybercriminal authors can back the whaling attack itself. A simple trick such as this can make their scam believable. Fortunately, there are ways to prevent falling for one.
How to protect yourself from a whaling attack ?
In addition to making them lose money or data, whaling attacks can affect the reputation of the victim and their organisation. Some companies have fired some of their employees because they had fallen for social engineering tactics. For instance, FACC have given the sack to their CEO for this reason. Unfortunately, according to HP, these kinds of cybersecurity attacks increase year after year along with their targeted victims.
To avoid being part of the victims of whaling attacks statistics, we recommend following these tips:
There are different types of whaling attacks and that they can be difficult to spot. When receiving a particular request, remember to:
- Double-check the sender’s email if it’s sent from a colleague, especially if it’s a high ranking executive in your organization. When the email comes from a third party, search for the authentic email address of this company and compare the two of them.
- Check if the domain on the link corresponds to the domain name of the company it’s meant to be sent from. If it differs, even slightly, it probably means it’s a fake email trying to impersonate an email from this company. If so, there is probably an associated fraudulent website you must avoid connecting to. Hover over the embedded link with your mouse. You should see the associated domain name appearing at the bottom-right corner of your browser, so you can compare it with the actual domain name of this company.
- Check the suspicious website’s domain age to see if it matches the trusted one. If the suspicious domain is younger, then you should not trust it.
- Question the validity of any request for money or sensitive information, even if it’s coming from one of your managers. In case of any doubt, do not hesitate to contact him directly by phone to get his confirmation.
Know the power of social media
Anything posted online can work against you. A whaling attack email could be personalised with photos, names, dates, and many other details found on social media. Cyberattackers also commonly use published content published following conferences or company events, meaning that employees should pay extra attention to potential scams after participating in these, since scammers could likely refer to them.
A good practice is to set personal social media accounts to be private. However, it does not fully protect from content published by the company’s public channels (newsletters, social media, website, etc.). The next tip can help with this issue.
Adopt company-wide data protection policies
A common understanding of what type of information can be shared publicly prevents cyber attackers from using it. By establishing cybersecurity best practices within your company, you can develop a sense of responsibility and accountability among your teams. Therefore, these policies can protect your company against whaling attacks or even spear phishing attacks, and help you avoid substantial losses.
Some data protection policies that companies take against whaling attacks are:
- Flag third party emails: makes it easier to identify email scams pretending to be sent from colleagues, managers or other senior executives.
- Verify requests: when getting particular or urgent requests from a manager’s or high-ranking executive’s email, it is a good idea to confirm who’s the actual sender with them. Talking in person, via a message, or a call can reassure you that it is not a scam.
- Multi-step verification: any request for a wire transfer or sensitive information should go through various checks with different people before being operated. For example, having two people sign each high-value money transfer is a simple step that goes a long way. It also lowers the fear factor of being the only accountable employee for such transactions, allowing more clarity needed when making important decisions.
Anti-social engineering tools and courses
Scammers will always be a step ahead of the restrictions they face. Using tools and cybersecurity courses can help you identify the patterns of their tricks and prevent whaling attacks as much as possible. For example, a good practice could be for the IT department to send out fake whaling attacks emails to the company teams. By testing their reactions and giving them advice in the feedback of this simulation, the company can train its employees to adopt a safer behaviour.
As for tools, there is anti-phishing software that can recognize fraudulent links and malware downloads. Also, a secure and private email provider, such as Mailfence, can keep away spam, ads, trackers, hackers and solicitations. Such tools can give users peace of mind from many social engineering tricks.
What to do if you fell for a whaling attack ?
If you suffered from whaling or any other social engineering attack and/or your email got hacked, read our blog post on Steps to take when your email is hacked. It explains how to control the damage, report it and prevent future hacking attacks.
If you were using a work device or account, communicate with your supervisor and the IT department as soon as possible. They will then be able to alert other employees and ensure that everything stays secure. Also, the sooner you report the incident, the less time the attackers have to worsen the damage. Your organisation can set up a complete communication plan involving all affected parties earlier on.
How to prevent other types of social engineering ?
The best way to prevent social engineering attacks is to get informed. For this purpose, Mailfence created a free and easy-to-follow Email security and privacy awareness course.
The course helps users understand their threat profile to know which tips they need. Based on that, a series of articles by Mailfence share knowledge on different levels of security against cyber threats found in emails.
Check out this article on how to avoid social engineering schemes.
– Mailfence Team